Chapter 4: Securing your Message Exchange

Encrypting and decrypting a message

In certain communication scenarios between two parties, you may need an encryption mechanism for outbound messages, as well as a decryption mechanism for inbound messages. Information in messages can be of a sensitive nature or subject to privacy law: data such as social security numbers, bank account numbers, addresses, phone numbers, and so on. The BizTalk Server offers encryption capabilities using certificates. Each certificate is associated with a cryptographic key pair consisting of a public key and a private key. The owner of a certificate, for instance BizTalk, can share the public key with its communication partner(s). These partners use that public key to encrypt their messages. As the message can only be decrypted with the corresponding private key, the partner(s) are certain that the message can only be decrypted by the owner of the certificate. This means that the private key has to be kept secure and must be protected by the owner. BizTalk can send secure, encrypted messages to partners by using the public key certificate of each of them. A host can have many public keys for sending encrypted messages, but it can only use one certificate for decrypting messages. The following table describes the keys and certificates that need to be installed for encrypting and decrypting messages:


Every certificate contains a unique identifier called a thumbprint, which BizTalk uses to identify the correct certificate. The thumbprint is calculated by applying a hashing algorithm to the certificate. Thumbprints are used while configuring a host or a Send port.

Getting ready

For this recipe, you will need the public key certificate from the party that will receive the encrypted message, or you can create your own certificate.

How to do it...

To be able to send encrypted messages, you will need to install the certificate in the Local Computer\Other People store. Then the following steps have to be performed:

1. Create a new BizTalk project and add a new send pipeline by right-clicking on the project. Select Add New Item and then Send Pipeline from the Add New Item dialog. Give the pipeline a descriptive name.
2. Drag the MIME/SMIME encoder component from the BizTalk Pipeline Components section of the Toolbox to the Encode stage of the send pipeline (refer to the Signing and verifying a message recipe earlier in this chapter).
3. Select and right-click on the component, and select Properties. Change the value of the Enable encryption property from False to True. Choose the Encryption algorithm you desire (the options are, from strong to weak, DES3, DES, or RC2).
4. Sign the project with a strong name.
5. Subsequently, go to the deployment properties of the project and give an appropriate name to the application.
6. Build and deploy the BizTalk project.
7. Create a Send port to deliver the message to the recipient, using any transport adapter desired (the sample code provided with this book uses the File adapter). Give the Send port a descriptive name, select an appropriate Adapter, and choose the send pipeline you deployed.
8. In the Send port, choose Certificate and select the public key certificate of the message receiver for the Certificate Name property.
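The thumbprint that the Send port and the Host Properties dialog ask for is simply a hash over the certificate, and a mistyped or mis-pasted value is the most common reason a pipeline cannot find its certificate. The following Python helper is an added example (not code from the book, from BizTalk or from Microsoft): it computes the thumbprint from a PEM or DER certificate, cleans up a value copied from the Windows certificate dialog (which displays the bytes separated by spaces and may prepend an invisible character), and checks that the cleaned value really identifies the certificate before you paste it into the configuration. The certificate bytes in it are constructed for the example and are not a real X.509 certificate.

```python
"""Certificate thumbprint helper (added example, not code from the book).

BizTalk identifies a certificate by its thumbprint: the SHA-1 hash of the
certificate's DER encoding, displayed as upper-case hex in the Windows
certificate store.  These helpers compute that value, normalise a pasted
thumbprint and verify it against the certificate.  Sample bytes are constructed.
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
_THUMBPRINT_HEX_LEN = 40  # SHA-1 = 20 bytes = 40 hex characters


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM text or raw DER."""
    match = _PEM_BLOCK.search(data.decode("ascii", errors="ignore"))
    if match:
        # PEM: drop the line breaks inside the base64 body, then decode it.
        return base64.b64decode("".join(match.group(1).split()))
    return data  # no PEM armour: treat the input as DER already


def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER encoding, upper-case hex (what certmgr.msc shows)."""
    return hashlib.sha1(certificate_der(data)).hexdigest().upper()


def normalize_thumbprint(pasted: str) -> str:
    """Drop spaces, hidden marks (e.g. U+200E) and any other non-hex noise."""
    return re.sub(r"[^0-9A-Fa-f]", "", pasted).upper()


def thumbprint_matches(data: bytes, pasted: str) -> bool:
    """True only if the cleaned value is the full SHA-1 thumbprint of this certificate."""
    wanted = normalize_thumbprint(pasted)
    return len(wanted) == _THUMBPRINT_HEX_LEN and wanted == thumbprint(data)


# Constructed stand-in for a certificate: arbitrary bytes in PEM armour.
# It is NOT a real X.509 certificate; it only exercises parsing and hashing.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    tp = thumbprint(SAMPLE_PEM)
    # The certificate dialog shows a space between each byte, and copying it
    # may prepend U+200E; both must be removed before pasting into BizTalk.
    as_copied = "\u200e" + " ".join(tp[i:i + 2] for i in range(0, len(tp), 2))
    print("thumbprint  :", tp)
    print("as displayed:", as_copied)
    print("matches     :", thumbprint_matches(SAMPLE_PEM, as_copied))
```

Run it against an exported certificate by replacing SAMPLE_PEM with the file contents; if thumbprint_matches() returns False for the value you were about to paste, the value is truncated or carries stray characters, and the host or Send port would silently fail to locate the certificate.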
To be able to receive encrypted messages, you will need to obtain a certificate with a private key from a CA, or create one using the MakeCert.exe command-line tool. Then, the following steps have to be performed:

1. Create a new BizTalk project and add a new receive pipeline by right-clicking on the project. Select Add New Item and then Receive Pipeline from the Add New Item dialog. Give the pipeline a descriptive name.
2. Drag the MIME/SMIME decoder component from the BizTalk Pipeline Components section of the Toolbox to the Decode stage of the receive pipeline (refer to the Signing and verifying a message recipe earlier in this chapter).
3. Select and right-click on the component, and select Properties.
4. Sign the project with a strong name.
5. Subsequently, go to the deployment properties of the project and give an appropriate name to the application.
6. Build and deploy the BizTalk project.
7. Create a Receive port and a receive location to accept the encrypted message from the sender, using an appropriate transport adapter. Give a descriptive name to the port and the receive location.
8. Open the BizTalk Administration Console and navigate to Platform Settings. Select Host Instances. Right-click on the BizTalk host that will receive the encrypted message and select Properties.
9. Specify the certificate that BizTalk will use to decrypt the messages: paste the thumbprint of this certificate into the thumbprint field in the Certificates section of the Host Properties dialog box.

How it works...

Encryption of messages in BizTalk occurs inside the Encode stage of a send pipeline. The MIME/SMIME Encoder pipeline component within the pipeline encrypts the message by using the public key of the communication partner(s). This key is stored in the Other People store on the machine of the host instance configured for the send handler. To enable encryption using the MIME/SMIME encoder, the Enable encryption property must be set to True. Furthermore, the Encryption algorithm can be set to DES, 3DES, or RC2.
See the following diagram for the flow of a message from the MessageBox database being encrypted and sent to an external party.

Decryption of messages in BizTalk occurs inside the Decode stage of a receive pipeline. The MIME/SMIME Decoder pipeline component within the pipeline decrypts the message by using the BizTalk Server private key, which is stored in the Personal store of the service account of the host instance configured for the receive handler. See the following diagram for the flow of a message from an external party sending an encrypted message, through decryption, to publication of the decrypted message in the MessageBox database.

There's more...

The BizTalk Server supports encryption of outbound messages and decryption of inbound messages based on Secure/Multipurpose Internet Mail Extensions (S/MIME). The BizTalk Server uses S/MIME version 3 for encryption of outbound messages, and S/MIME versions 2 and 3 for decryption of inbound messages. You can find more in the document Certificates that BizTalk Server Uses for Encrypted Messages at http://msdn.microsoft.com/en-us/library/aa559843%28v=BTS.70%29.aspx.

The Code Project website contains a BizTalk project with guidance on securing messages with encryption, in the article Secure Messaging Solution at http://www.codeproject.com/KB/biztalk/SecureMessaging.aspx. There is another good sample from Richard Seroter that you can use as guidance for encryption and decryption of messages. It can be found in the blog post Building a Complete Certificate Scenario With BizTalk Server 2006 at http://seroter.wordpress.com/2007/03/05/building-a-complete-certificate-scenario-with-biztalk-server-2006/. An alternative for encryption is BizCrypto for BizTalk, which offers adapters and pipeline components that integrate into the BizTalk Server. You can find more in the document BizTalk adapters and pipelines for secure data storage and transfer at http://www.eldos.com/bizcrypto/biztalk.php.
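Because the decoder accepts S/MIME version 2 and 3 messages, an inbound location that is supposed to receive only encrypted traffic still benefits from a cheap check that what arrived really is an S/MIME enveloped-data message and not a plain or merely signed one. The following Python snippet is an added example (not code from the book, from BizTalk or from any of the linked projects) of that classification using the standard email parser: it recognises the standard application/pkcs7-mime media type and the legacy application/x-pkcs7-mime one, distinguishes enveloped, signed and clear-signed (multipart/signed) messages, and exposes require_encrypted() as the gate a custom receive-side component or a pre-filter could apply. The sample messages are constructed, and their base64 bodies are placeholders rather than real PKCS#7 content.

```python
"""Inbound S/MIME envelope check (added example, not code from the book).

Classifies a raw MIME message by its Content-Type so that a receive location
meant for encrypted traffic can reject plain or signed-only messages before
they reach the decode stage.  Sample messages are constructed placeholders.
"""
import base64
import email
from email import policy

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
_SMIME_TYPES = {"enveloped-data": "enveloped", "signed-data": "signed",
                "certs-only": "certs-only"}


def classify_smime(raw: bytes) -> str:
    """Return 'enveloped', 'signed', 'certs-only', 'clear-signed',
    'pkcs7-unknown' (PKCS#7 body without an smime-type parameter) or 'plain'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()  # already lower-cased by the parser
    if ctype in PKCS7_MIME:
        smime_type = (msg.get_param("smime-type") or "").lower()
        # Older senders sometimes omit smime-type; do not guess what the body is.
        return _SMIME_TYPES.get(smime_type, "pkcs7-unknown")
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and protocol in PKCS7_SIGNATURE:
        return "clear-signed"  # payload readable in transit, only the signature is binary
    return "plain"


def require_encrypted(raw: bytes) -> bool:
    """Gate for an inbound location that must only accept encrypted messages."""
    return classify_smime(raw) == "enveloped"


# Constructed sample messages; the base64 bodies are placeholders, not PKCS#7.
_PLACEHOLDER = base64.b64encode(b"constructed-pkcs7-placeholder").decode("ascii")

ENVELOPED_SAMPLE = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="smime.p7m"\r\n'
    "\r\n" + _PLACEHOLDER + "\r\n"
).encode("ascii")

CLEAR_SIGNED_SAMPLE = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    'micalg=sha-256; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n\r\nReadable in transit (constructed).\r\n"
    "--b1\r\n"
    'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n" + _PLACEHOLDER + "\r\n"
    "--b1--\r\n"
).encode("ascii")

PLAIN_SAMPLE = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n\r\nAccount 1234-5678 (constructed)\r\n"
).encode("ascii")

if __name__ == "__main__":
    for name, sample in [("enveloped", ENVELOPED_SAMPLE),
                         ("clear-signed", CLEAR_SIGNED_SAMPLE),
                         ("plain", PLAIN_SAMPLE)]:
        print(f"{name:13s} -> {classify_smime(sample):13s} "
              f"accepted={require_encrypted(sample)}")
```

The check looks only at headers, so it cannot replace the decoder's own validation of the PKCS#7 content; its value is that a clear-text message posted to an "encrypted only" endpoint is refused and logged up front instead of being published to the MessageBox as if it had been protected.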
See also

Refer to the Importing certificates recipe earlier in this chapter.
